File name:	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91
Full analysis:	https://app.any.run/tasks/af0b2c6a-c53c-47a9-ba4e-630b9f4aa2d4
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 14:39:47
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer delphi inno installer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	4351880FF248144B264A40C1B17770E1
SHA1:	03628A8470A7D303583B02322B246A539B042724
SHA256:	AE93FCC51EE960C8DA7D9A1FC4A83EBE429DFCA2062985C57BEC27037CFF1D91
SSDEEP:	196608:U3MaIQyHXxaKkDph3QK1wzFAPbgLRqZUTgjqO7ZIXc1wJXQnnfT:aMa4XxfKph3QK1iFSb2qZUTwqO7OZX2

.exe	\|	Win32 Executable (generic) (42.6)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.9)
.exe	\|	DOS Executable Generic (18.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:04:06 14:39:04+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	66560
InitializedDataSize:	438272
UninitializedDataSize:	-
EntryPoint:	0x117dc
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	12.0.1.0
ProductVersionNumber:	12.0.1.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Auslogics
FileDescription:	Auslogics Disk Defrag Installation File
FileVersion:	12.x
LegalCopyright:	Copyright © 2008-2025 Auslogics Labs Pty Ltd
ProductName:	Auslogics Disk Defrag
ProductVersion:	12.0.1.0
OriginalFileName:	disk-defrag-setup.exe
InternalName:	disk-defrag-setup


(PID) Process:	(2432) Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Auslogics\Disk Defrag\12.x\Settings
Operation:	write	Name:	General.Tracking.URLMarkers
Value: diskdefragnosid
(PID) Process:	(2432) Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2432) Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2432) Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2432) Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D484312-1B14-96B5-2103-31B346D1CE61}\Version
Operation:	write	Name:	Assembly
Value: 6439EB7E2F3A221EA8070548D31E5F006439EB7E2F3A221EA8070548D31E5F0088AD8CBB5ED3F66B83A8A2CDF194269C890BB34AEBD806E41A50D3BD9C0B4765219909F09E75DEC0927FF4E8152284CD219909F09E75DEC0927FF4E8152284CD59B5414605BAE21E9735786EB516D3F8DE1283C2AFF9BF99D33ED2740C86BBD2F8157495FE950FA4A01046BB55F00DAD0F20AA1B1ADFE602954529934D03147D
(PID) Process:	(2432) Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Auslogics\Disk Defrag\12.x\Settings
Operation:	write	Name:	General.Language
Value: ENU
(PID) Process:	(2432) Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Auslogics\Disk Defrag\12.x\Settings
Operation:	write	Name:	General.Analytics.GAUserCountryCode
Value: IQ

PID	Process	Filename		Type
960	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.exe	C:\Users\admin\AppData\Local\Temp\is-728H3.tmp\Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp		executable
		MD5:47EA2E549E577D64D9888D856113C896	SHA256:A9D61AB0D4215533DE00D9F1D6E561684F25BDD5785B6330A02E4A1599AE211C
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Temp\is-T0I6U.tmp\Integrator.exe		executable
		MD5:6C68C9F2308B42B11D29229D7468B0A5	SHA256:BCF9AF625A612F5C84940E195C68D85AB32D24337D22983CC61F2BC60204DD2D
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Temp\is-T0I6U.tmp\CFAHelper.dll		executable
		MD5:AB21E079539A7D3D8B95531A756BFAC7	SHA256:3D9CB1D34817B577ADEC0278ACFB72924BDFE1937B74613937379AA83FF594D1
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Temp\is-T0I6U.tmp\Localizer.dll		executable
		MD5:CF2A768A4A795E3BFA42021037C1AF59	SHA256:2A50B6D34FB593FA37D3674EABEB400A3E599E07F8BD9AF19F9FF12C74C1028E
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Temp\is-T0I6U.tmp\BrowserHelper.dll		executable
		MD5:B76BB772F256F7C9CA6681AAF13F5E32	SHA256:03B80AB1144FE136FA32A4E9B47898527CBFD0E213A76B648F089959D92A99F9
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Temp\is-T0I6U.tmp\SetupCustom.dll		executable
		MD5:62A8EDE79D2A3571BC989654875BF18D	SHA256:24E7E353E1F2C89AA145DF2AFC538D4FD8A9EC46EC7FE8610351DEFE830DD392
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat		—
		MD5:—	SHA256:—
2096	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.exe	C:\Users\admin\AppData\Local\Temp\is-IF0HG.tmp\Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp		executable
		MD5:47EA2E549E577D64D9888D856113C896	SHA256:A9D61AB0D4215533DE00D9F1D6E561684F25BDD5785B6330A02E4A1599AE211C
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Temp\is-T0I6U.tmp\vcl250.bpl		executable
		MD5:E4F482E3F7EB949256402C38E467122F	SHA256:10B9D8569B8F9E9E46E7A579855492353C43F1E3B5D4A28959015BED5570350C
2432	Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91.tmp	C:\Users\admin\AppData\Local\Temp\is-T0I6U.tmp\esp.lng		binary
		MD5:355B95146C8F273C6A10BDDED4899E3D	SHA256:BAC602864F2D0950995379DB7A4DCE0B0128082A66F4270F8759D9F8FC0EF93A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5776	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5776	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5776	SIHClient.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5776	SIHClient.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5776	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5776	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.190.160.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2104	svchost.exe	104.119.109.218:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	104.119.109.218:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6544	svchost.exe	20.190.160.128:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
login.live.com	20.190.160.128 20.190.160.3 40.126.32.72 20.190.160.65 40.126.32.133 20.190.160.20 40.126.32.136 40.126.32.140	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.139 2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	104.119.109.218 2.23.246.101	whitelisted
www.auslogics.com	45.79.82.237	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

Sigmanly_ae93fcc51ee960c8da7d9a1fc4a83ebe429dfca2062985c57bec27037cff1d91

4351880FF248144B264A40C1B17770E1

03628A8470A7D303583B02322B246A539B042724

AE93FCC51EE960C8DA7D9A1FC4A83EBE429DFCA2062985C57BEC27037CFF1D91

196608:U3MaIQyHXxaKkDph3QK1wzFAPbgLRqZUTgjqO7ZIXc1wJXQnnfT:aMa4XxfKph3QK1iFSb2qZUTwqO7OZX2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Process drops SQLite DLL files

Reads the BIOS version

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

Reads browser cookies

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

The sample compiled with english language support

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Compiled with Borland Delphi (YARA)

Detects InnoSetup installer (YARA)

Creates files or folders in the user directory

Creates files in the program directory

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings